The Hacker News — Cyber Security, Hacking, Technology News

Ever wonder how to hack Instagram or how to hack a facebook account? Well, someone just did it!

But remember, even responsibly reporting a security vulnerability could end with legal action being taken against you.

An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to gain access to sensitive data stored on Instagram servers, including:

Source Code of Instagram website

SSL Certificates and Private Keys for Instagram

Keys used to sign authentication cookies

Personal details of Instagram Users and Employees

Email server credentials

Keys for over a half-dozen critical other functions

However, instead of paying him a reward, Facebook threatened the researcher with legal action, accusing him of intentionally withholding flaws and information from its team.

Wesley Weinberg, a senior security researcher at Synack, participated in Facebook's bug bounty program and started analyzing Instagram systems after one of his friends pointed him to a potentially vulnerable server located at sensu.instagram.com.

The researcher found an RCE (Remote Code Execution) bug in the way the server processed users' session cookies, which are generally used to remember users' log-in details.

The host was running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie.

Exploiting the vulnerability, Weinberg was able to force the server to vomit up a database containing login details, including credentials, of Instagram and Facebook employees.

Although the passwords were hashed with 'bcrypt', Weinberg was able to crack a dozen passwords that were very weak (like changeme, instagram, password) in just a few minutes.

Exposed EVERYTHING including Your Selfies

Weinberg did not stop here. He took a close look at other configuration files he found on the server and discovered that one of the files contained some keys for Amazon Web Services accounts, the cloud computing service used to host Instagram's Sensu setup.

These keys listed 82 Amazon S3 buckets (storage units), but gave him access to only one of them. He found nothing sensitive in the latest file in that bucket, but when he looked at the older version of the file, he found another key pair that let him read the contents of all 82 buckets.

Weinberg had inadvertently stumbled upon almost EVERYTHING including:

Instagram's source code

SSL certificates and private keys (including for instagram.com and *.instagram.com)

API keys that are used for interacting with other services

Images uploaded by Instagram users

Static content from the instagram.com website

Email server credentials

iOS/Android app signing keys

Other sensitive data

"To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," Weinberg wrote in his blog. "With the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, [personal] pictures and data."

Responsible Disclosure, but Facebook Threatens Lawsuit

Weinberg reported his findings to Facebook's security team, but the social media giant was concerned he had accessed private data of its users and employees while uncovering the issues.

Instead of receiving a reward from Facebook for his hard work, Weinberg was disqualified from the bug bounty program by Facebook.

In early December, Weinberg claims, his boss, Synack CEO Jay Kaplan, received a scary call from Facebook security chief Alex Stamos regarding the weaknesses Weinberg had discovered in Instagram, which left Instagram and Facebook users wide open to a devastating attack.

Stamos "stated that he did not want to have to get Facebook's legal team involved, but that he was not sure if this was something he needed to go to law enforcement over," Weinberg wrote in his blog in a section entitled 'Threats and Intimidation.'

In response, Stamos issued a statement, saying he "did not threaten legal action against Synack or [Weinberg] nor did [he] ask for [Weinberg] to be fired."

Stamos said he only told Kaplan to "keep this out of the hands of the lawyers on both sides."

"Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk," Stamos added.

Facebook Responds

After the original publication by the researcher, Facebook issued its response, saying the claims are false and that Weinberg was never told not to publish his findings, but was only asked not to disclose the non-public information he accessed.

The social media giant confirmed the existence of the remote code execution bug in the sensu.instagram.com domain and promised a bug bounty of $2,500 as a reward to Weinberg and his friend who initially hinted that the server was openly accessible.

However, the other vulnerabilities that allowed Weinberg to gain access to sensitive data did not qualify, with Facebook saying he violated user privacy while accessing the data.

Here's the full statement by Facebook:

We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.

We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn't pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers' hard work.

Someone just found an iOS zero-day vulnerability that could allow an attacker to remotely hack your iPhone running the latest version of iOS, i.e. iOS 9.

Yes, an unknown group of hackers has sold a zero-day vulnerability to Zerodium, a startup by the French company Vupen that buys and sells zero-day exploits.

And guess what, for how much?

$1,000,000. Yes, $1 Million.

Last month, a bug bounty challenge was announced by Zerodium for an exploit that would allow an attacker to remotely compromise a non-jailbroken Apple device through:

A web page on Safari or Chrome browser,

In-app browsing action, or

Text message or MMS.

Zerodium's founder Chaouki Bekrar confirmed on Twitter that an unnamed group of hackers has won this $1 Million bounty for submitting a remote browser-based iOS 9.1/9.2b jailbreak (untethered) exploit.

NO More Fun. It's Serious Threat to iOS Users

For those who are not aware, this remote Jailbreak is not really cool.

Why? Because…

The only difference between a malicious cyber attack and a jailbreak is the payload, the code that executes on the target system after exploitation.

A traditional jailbreak is usually used to deploy an alternative App Store, but in the hands of hackers or law enforcement agencies, the same exploit can allow them to install any app they want with full privileges, i.e. spyware, malware or surveillance software.

Moreover, we know that Zerodium's parent company Vupen develops hacking techniques based on such bugs and typically sells them to multiple government customers.

So, the chances are high that the firm will resell the newly discovered and undisclosed remote iOS zero-day jailbreak exploit to its clients, which are said to include Spy agencies, Governments, and Law enforcement agencies.

Your Turn, Apple…

Let's see how long Apple's security team will now take to find this open zero-day bug in its software and close the doors before it gets too late.

2. Angler Exploit Kit Campaign Generating $30 Million Taken Down

Researchers took down a large ransomware campaign connected to the Angler Exploit Kit that was making an estimated $30 Million a year in revenue for hackers.

The hacker or group of hackers generating $30 Million annually is responsible for up to 50% of Angler Exploit Kit activity, which simply means that the rest of the Angler kit business might be generating revenue of more than $60M annually for hackers worldwide.

4. How to Activate GodMode in Windows 10

God Mode – also known as 'Windows Master Control Panel Shortcut' – is an inbuilt but hidden Windows feature that provides additional customization options for Microsoft's newest operating system.

Enabling God Mode in Windows 10 essentially exposes 260+ additional settings of the operating system from a single folder.

5. British Agency Can Hack Any Smartphone With Just a Text Message

The British intelligence agency GCHQ has the power to hack any smartphone with just a text message, said former NSA contractor and global surveillance whistleblower Edward Snowden.

According to Snowden, GCHQ has special tools that let it take over your smartphone with just a text message, and there is "very little" you can do to prevent the spying agency from having "total control" over your devices.

For the full interview of Edward Snowden with BBC investigative programme Panorama – Read more…

6. Kemoge: Latest Android Malware that Can Root Your Smartphone

A new strain of malware, dubbed 'Kemoge Malware', has made its debut as an Adware on Android devices, allowing third-party app stores to pilfer your device's information as well as take full control of it.

Kemoge is adware in the disguise of popular Android apps. The malware is distributed under the names of popular apps, which are actually repackaged with malicious code that is even capable of rooting victims' phones, targeting a wide range of device models.

For more information on how Kemoge works and how to protect against it – Read more…

7. Microsoft Rewarded $24,000 Bounty to Hacker

Synack security researcher Wesley Wineberg won $24,000 from Microsoft for finding and reporting a critical flaw in Microsoft’s Live.com authentication system that could allow hackers to gain access to victims’ complete Outlook account or other Microsoft services.

Wineberg developed a ‘proof-of-concept’ exploit app, named 'Evil App', that allowed him to bypass Microsoft’s OAuth protection mechanism, effectively gaining access to everything in victim's account.

8. End of the Most Widely Used SHA-1 Hash Algorithm

SHA-1, one of the Internet's most widely adopted cryptographic hash functions, is counting its last breaths.

Researchers have claimed that SHA-1 is vulnerable to collision attacks, which can be exploited to forge digital signatures, allowing attackers to break communications encoded with SHA-1.

For in-depth information on collision attacks and how they work – Read more…

9. Brute Force Amplification Attack Targeting WordPress Blogs

Security researchers have discovered a way to perform amplified brute-force attacks against WordPress' built-in XML-RPC feature in an effort to crack administrator credentials.

The XML-RPC protocol is used for securely exchanging data between computers across the Internet. It offers the system.multicall method, which allows an application to execute multiple commands within one HTTP request.

The same method has been abused to amplify brute-force attacks many times over by attempting hundreds of passwords within just one HTTP request, without being detected.
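A defender's view of the amplification described above: the following added example (not WordPress code) parses an XML-RPC request body with the standard library and flags a system.multicall that packs many credentialed calls, or several distinct passwords for one username, into a single request. The watched method set (wp.getUsersBlogs, whose first two parameters are username and password), the thresholds and the sample request bodies are assumptions constructed for the example.

```python
"""Spot brute-force amplification hidden in one XML-RPC request.

Added example for the WordPress system.multicall abuse described above;
this is not WordPress code. An ordinary client bundles a few calls, while
an amplified credential-guessing attempt bundles hundreds of
authenticated calls with varying passwords. Request bodies are
constructed inline, so it runs offline.
"""
import xmlrpc.client
from xml.parsers.expat import ExpatError

# wp.getUsersBlogs takes (username, password) as its first two params.
# The set of methods to watch is an assumption; adjust for your site.
CREDENTIALED_METHODS = {"wp.getUsersBlogs"}


def build_multicall(calls):
    """Serialise (methodName, params) pairs into a system.multicall body."""
    structs = [{"methodName": name, "params": list(args)} for name, args in calls]
    return xmlrpc.client.dumps((structs,), methodname="system.multicall")


def analyse_request(body, max_attempts=5, max_passwords_per_user=1):
    """Return a verdict dict for one XML-RPC request body.

    suspicious is set when the request packs more credentialed calls than
    max_attempts, or tries more than max_passwords_per_user distinct
    passwords for a single username (the amplification signature).
    """
    verdict = {"suspicious": False, "calls": 0, "login_attempts": 0,
               "max_passwords_for_one_user": 0, "reason": ""}
    try:
        params, methodname = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.ResponseError, xmlrpc.client.Fault):
        verdict.update(suspicious=True, reason="unparseable XML-RPC body")
        return verdict

    if methodname == "system.multicall":
        # params[0] is the array of {methodName, params} structs
        calls = [(c.get("methodName", ""), c.get("params", [])) for c in params[0]]
    else:
        calls = [(methodname, list(params))]
    verdict["calls"] = len(calls)

    passwords_by_user = {}
    for name, args in calls:
        if name in CREDENTIALED_METHODS and len(args) >= 2:
            verdict["login_attempts"] += 1
            passwords_by_user.setdefault(str(args[0]), set()).add(str(args[1]))
    if passwords_by_user:
        verdict["max_passwords_for_one_user"] = max(len(s) for s in passwords_by_user.values())

    if verdict["login_attempts"] > max_attempts:
        verdict.update(suspicious=True,
                       reason=f"{verdict['login_attempts']} credentialed calls in one request")
    elif verdict["max_passwords_for_one_user"] > max_passwords_per_user:
        verdict.update(suspicious=True, reason="multiple passwords tried for one username")
    return verdict


# Constructed samples: a normal client request and an amplified guessing run.
LEGIT_BODY = build_multicall([
    ("demo.sayHello", ()),
    ("wp.getUsersBlogs", ("alice", "correct horse battery staple")),
])
ATTACK_BODY = build_multicall(
    [("wp.getUsersBlogs", ("admin", f"guess{i:03d}")) for i in range(200)]
)

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_BODY), ("attack", ATTACK_BODY)):
        print(label, analyse_request(body))
```

Run it against the bodies your web server logs (or a request-inspection hook) to see how a single HTTP request can carry hundreds of guesses while producing only one access-log line.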

Good news: we bring you an amazing deal this month, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!

Sanmay Ved – the man who actually managed to buy Google.com – got a huge reward from Google, but he donated all the money to charity.

Last week, the former Google employee, now working at Amazon, managed to buy the world's most-visited domain, Google.com, via Google's own Domains service for only $12.

However, Ved owned Google.com for one whole minute before the Mountain View company realized it was a mistake and cancelled the transaction.

After acknowledging the mistake, Google rewarded Ved with an undisclosed amount of cash, but when Ved generously suggested donating his prize money to charity instead, Google doubled the reward.

Google Rewarded Ved with More than $10,000

Ved believed that his real reward was just being the person who bought Google.com for a whole minute.

"I do not care about the money," Ved said in an interview with Business Insider. "It was never about the money. I also want to set an example that [there are] people who [wish] to find bugs that it's not always about the money."

Ved donated his reward to "The Art of Living India," an Indian foundation that focuses on providing education to poorer areas of the country.

Ved did not disclose the exact sum of cash Google had awarded him, but he did say that the amount was more than $10,000.

Facebook bounty hunter Laxman Muthiyah from India has recently discovered his third bug of this year in the widely popular social network website that just made a new record by touching 1 Billion users in a single day.

At the beginning of the year, Laxman discovered a serious flaw in the Facebook Graph API that allowed him to view, and probably delete, other people's photo albums on Facebook, even without proper authorization.

Just a month later, Laxman uncovered another critical vulnerability in the social network platform, this one in the Facebook Photo Sync feature, which automatically uploads photos from your mobile device to a private Facebook album that isn't visible to any of your Facebook friends or other Facebook users.

However, the flaw discovered by Laxman could allow any third-party app to access and steal your personal photographs from the hidden Facebook Photo Sync album.

Hacking Any Facebook Page

Now, the latest bug in Laxman's list could allow attackers to take over control of your Facebook pages.

This time Laxman has found an issue with the "Facebook business pages" that are not specific to a single user account, but instead represent a business and are usually managed by a number of users.

However, Laxman found that a third-party app with only limited permissions could take complete control of a Facebook business page, possibly making the victim permanently lose administrator access to the page.

Here's How:

Third-party Facebook applications are capable of performing a wide range of operations, including posting status updates on your behalf, publishing photos and other tasks, but Facebook doesn't allow them to add or modify page admin roles.

Facebook allows a page administrator to assign different roles to different people in the organisation through manage_pages, a special access permission requested by third-party apps.

However, according to Laxman, an attacker can use a simple series of requests to make himself an admin of a particular Facebook page.

A group of China-backed hackers believed to be responsible for high-profile data breaches, including the U.S. Office of Personnel Management and the insurance giant Anthem, has now hit another high-profile target – United Airlines.

United detected a cyber attack on its computer systems in May or early June, Bloomberg reported, citing unnamed sources familiar with the matter.

The same sources say that the hackers responsible for the data breach in United's systems are the same group of China-backed hackers that successfully carried out several other large heists, including the United States' Office of Personnel Management and the health insurer Anthem Inc.

Dangerous Intentions: United Airlines Data Breach

The stolen data includes manifests, which contain information on flights' passengers and their origins and destinations, meaning that the hackers have "data on the movements of millions of Americans."

Since United Airlines is the world's second-largest airline and major contractor for U.S. government travel, experts say that the vast cache of information could be used to track the movements of specific government or military officials.

Bloomberg also speculated that the combination of security-clearance records from OPM, insurance records from Anthem, and now travel records from United, could be used by hackers to blackmail Americans working in defense and intelligence.

A critical vulnerability has been discovered in Apple's official App Store and iTunes Store, affecting millions of Apple users.

Vulnerability-Lab founder and security researcher Benjamin Kunz Mejri discovered an application-side input validation web vulnerability that resides in the Apple App Store invoice module and is remotely exploitable by both the sender and the receiver.

The vulnerability, rated high in severity, was reported to Apple's security team on June 9, 2015, and the company patched the issue within a month.

How does the vulnerability work?

By exploiting the flaw, a remote hacker can manipulate the name value (device cell name) by replacing it with a malicious script code.

Now, if the attacker buys any product in the App Store or iTunes Store, the internal App Store service takes the device value (which is actually the malicious code) and generates the invoice, which is then sent to the seller account.

This results in application-side script code execution in Apple's invoice.

In addition, because the injected content is persistent, remote attackers can also deliver it to other Apple Store user accounts.

"The invoice is present to both parties (buyer & seller) which demonstrates a significant risk to buyers, sellers or apple website managers/developers," says the researcher. "The issue impact also the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity."

Successful exploitation of the bug could allow an attacker to perform a number of sensitive tasks, including

What if you get 1 Million Frequent Flyer Miles for Free? Yes, 1 Million Air Miles…

…I think that would be enough for several first-class trips to Europe or up to 20 round-trips in the United States.

Two computer hackers have earned more than 1 Million frequent-flyer miles each from United Airlines for finding multiple security vulnerabilities in the airline's website.

Back in May this year, Chicago-based 'United Airlines' launched a bug bounty program and invited security researchers and bug hunters to find and report security vulnerabilities in its websites, software, apps and web portals.

Jordan Wiens, a security researcher from Florida and one of two bounty winners, tweeted last week that he earned United Airlines' top reward of 1 Million Miles for finding a flaw that could have allowed a hacker to seize control of one of the airline's websites.

Wiens is not allowed to disclose the technical details of the vulnerabilities, but in an email interview with The Hacker News, Jordan Wiens said that he earned a total of 1,250,000 frequent flyer miles under United Airlines' bug bounty program:

One Million Miles for reporting a serious Remote Code Execution (RCE) vulnerability in the United Airlines website.

Another 250,000 frequent flyer miles for finding a few more vulnerabilities in its website, including an information leakage bug.

Wiens also confirmed to The Hacker News that the flaws he reported to the airline were remotely exploitable.

The question here is -- "Could any of these bugs let an attacker steal users' data, or have any ability to directly impact flight systems?"
To which Wiens replied, "Unfortunately I have no idea what I could have done with it because I didn't actually exercise the flaw and find out what restrictions might have been enabled server-side."

United spokesman Luke Punzenberger said, "We're confident that our systems are secure," adding that the airline had patched the reported flaws before hackers could find and exploit them.

In the Tech World, supporting and running a bug bounty program is a significant step forward for online security, and such initiatives will definitely cost the airlines less than hiring high-profile consultants.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

If you are a security researcher and fond of traveling from one conference to another, then United Airlines' bug bounty program would be of great interest for you.

United Airlines has launched a new bug bounty program inviting security researchers and bug hunters to report vulnerabilities in its websites, apps and web portals.

Bug bounty programs are very common among technology firms, including Google and Facebook, who offer you hundreds of thousands of dollars as rewards for exposing security flaws and errors in their products.

So, what’s different in United Airlines new bug bounty?

The most interesting part of this bug bounty program is that instead of offering cold, hard cash, United Airlines is offering air miles as the reward.

Let’s see what United Airlines says about its bug bounty program:

"At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure," said the company.

"We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential bug that affects our websites, apps, and online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort."

The classification of the bug bounty rewards:

The rewards range from 50,000 air miles to 1 Million air miles. The more severe the vulnerability you discover, the more miles you win.

Medium-severity flaws, including authentication bypass, denial-of-service attacks, brute-force attacks and security issues that could lead to the disclosure of personally identifiable information, are worth 250,000 air miles per vulnerability.

The top prize, a Million-mile payout, goes to researchers who find high-severity vulnerabilities that could lead to remote code execution on United's online properties.

However, there are some important rules by United Airlines that are worth keeping in mind too.

One important rule to note is that the bug bounty program specifically doesn't cover vulnerabilities in its "onboard Wi-Fi, entertainment systems or avionics" systems, so don't go digging for bugs while you are in flight.

This doesn't mean that United Airlines does not consider such vulnerabilities serious, but it really doesn't want to encourage researchers to attempt to find bugs in a plane that is flying at 30,000 feet.

Don’t mess with in-flight systems

United gave one such example of why this fine print exists when it recently removed security researcher Chris Roberts from a flight over a joke tweet he made about possible in-flight vulnerabilities.

Accidentally crashing a flight's ticketing server means lost revenue, but accidentally crashing a flight's avionics potentially means loss of lives. So, according to the fine print, such attempts may be subject to criminal investigation.

Moreover, vulnerabilities that only exist on unsupported operating systems or browsers are not eligible for the bounty program.

Still, it's good to see that United Airlines is welcoming vulnerability reports from researchers and rewarding them for their work, which shows its keenness to protect its customers' privacy and prevent hackers from exposing its databases or other sensitive details.

If you're a bug hunter and love playing with code, then you could grab as much as US$15,000 from Microsoft for finding vulnerabilities in its latest Project Spartan browser.

Yes, $15,000!

It seems like Redmond doesn't want to take the chance of letting hackers and cyber criminals get their hands on the company's latest Windows 10 operating system.

On Wednesday, Microsoft announced that the company will be expanding its bug bounty program ahead of the release of Windows 10, which will include a two-month hunt for vulnerabilities in its new web browser, Project Spartan.

So, it's time for security researchers and hackers to earn extra cash from Microsoft.

For those who are unaware… What’s Project Spartan?

Project Spartan is Microsoft's project for a new web browser to replace the aging Internet Explorer in its Windows operating system.

Though the project is still very much in development, Microsoft is making every effort to make Spartan better and better as a browser.

Since the day Microsoft launched the project, the browser has received a steady stream of improvements, enough that it could give tough competition to Google's Chrome web browser.

As the saying goes, the first impression is the last impression. Therefore, the technology giant is offering several payout categories, starting from $500 and topping out at a bug bounty of $15,000 (11,000 Euro) for eligible vulnerabilities in Spartan, which include…

Microsoft is also offering up to $100,000 USD to bypass active mitigations (such as ASLR and DEP) in the company’s latest released version of the operating system, and "a bonus of up to $50,000 USD for actionable defense techniques to the reported bypass," Microsoft says.

So play, discover and submit your findings by including all your details in an email to secure@microsoft.com based on the company’s requirements on this page.

A security researcher has discovered a critical vulnerability in Google-owned YouTube that could allow anyone to make the comment posted by any celebrity or public figure on some YouTube video appear on his or her own YouTube video, impersonating that celeb.

Again a small trick in the popular video sharing website could allow anyone to play with the comments posted by users on YouTube videos.

Ahmed Aboul-Ela and Ibrahim M. El-Sayed, two Egyptian security researchers, found a simple trick that allowed them to copy any comment from any video on the popular video sharing website to their own video, even without any user interaction.

Not only this, but also:

This vulnerability allows you to spoof, duplicate or copy the comments on discussion boards from any YouTube channel and make it appear as the comments on your video or as a comment on your YouTube channel’s discussion board.

How did this happen?

While testing the comment review feature, the researchers noticed that the comments posted to any video on YouTube can be controlled by the author of that YouTube channel by changing the settings to "Hold all comments for review" before they get posted.

After enabling this option, all the comments posted by different users on your video will be listed in a new tab on https://www.youtube.com/comments with an option to approve or remove it.

Now:

When you approve any listed comment and intercept the HTTP request, you’ll find a comment_id and a video_id in the POST parameter.

If you change the video_id with any distinct video_id value, you’ll get an error.

But, Here’s the deal:

If you change only the comment_id to any other comment_id value from any YouTube video, keeping the video_id untouched, the request will be accepted by YouTube, and the comment will appear on your YouTube video.

However, this does not remove the original comment from the original video, and even the author of the comment does not get notified that their comment has been copied onto another video.
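The missing check behind the approve-request flaw described above, as an added example that models the flow rather than YouTube's own code: the vulnerable handler verifies that the caller owns video_id but accepts any comment_id, while the fixed handler also verifies that the comment was posted on that very video. The data model, the channel names and the comment IDs are constructed for the example.

```python
"""Ownership check for a comment-moderation 'approve' endpoint.

Added example modelling the YouTube 'Hold all comments for review' flow
described above; it is not YouTube's code. The approve request carries a
comment_id and a video_id. The vulnerable handler checks only that the
caller owns video_id and trusts comment_id; the fixed handler also
verifies that the comment was actually posted on that video. Sample
data is constructed inline.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Comment:
    comment_id: str
    video_id: str        # video the comment was really posted on
    author: str
    text: str
    approved: bool = False


@dataclass
class Video:
    video_id: str
    owner: str
    shown_comments: list = field(default_factory=list)  # approved comment ids


def make_sample_store():
    """Two channels: a celebrity's video with a comment, and the attacker's video."""
    videos = {
        "vid-celeb": Video("vid-celeb", owner="celebrity"),
        "vid-attacker": Video("vid-attacker", owner="attacker"),
    }
    comments = {
        "c-celeb-1": Comment("c-celeb-1", "vid-celeb", "celebrity", "Thanks for watching!"),
        "c-att-1": Comment("c-att-1", "vid-attacker", "viewer42", "nice video"),
    }
    return videos, comments


def approve_comment_vulnerable(videos, comments, session_user, comment_id, video_id):
    """Validates video_id against the session but never ties comment_id to it."""
    video = videos[video_id]
    if video.owner != session_user:
        # This is the check that made swapping video_id fail in the write-up.
        raise AuthorizationError("video_id does not belong to caller")
    comment = comments[comment_id]           # any comment_id on the site is accepted
    comment.approved = True
    video.shown_comments.append(comment_id)  # someone else's words now appear here
    return comment


def approve_comment_fixed(videos, comments, session_user, comment_id, video_id):
    """Same flow, plus the missing object-level check on comment_id."""
    video = videos.get(video_id)
    comment = comments.get(comment_id)
    if video is None or comment is None:
        raise KeyError("unknown video or comment")
    if video.owner != session_user:
        raise AuthorizationError("video_id does not belong to caller")
    # The comment must have been posted on the very video being moderated.
    if comment.video_id != video_id:
        raise AuthorizationError("comment_id does not belong to video_id")
    comment.approved = True
    video.shown_comments.append(comment_id)
    return comment


if __name__ == "__main__":
    videos, comments = make_sample_store()
    approve_comment_vulnerable(videos, comments, "attacker", "c-celeb-1", "vid-attacker")
    print("vulnerable:", videos["vid-attacker"].shown_comments)
    videos, comments = make_sample_store()
    try:
        approve_comment_fixed(videos, comments, "attacker", "c-celeb-1", "vid-attacker")
    except AuthorizationError as exc:
        print("fixed:", exc)
```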

You can also watch the video demonstration of the YouTube vulnerability below:

Of course, the vulnerability has been fixed after the researchers reported it to Google. The search engine giant also paid Aboul-Ela a cash reward of $3,133.7 under its bug bounty scheme for finding and reporting the critical issue to the company.

A security researcher has discovered a simple but critical vulnerability in Google-owned YouTube that could be exploited by anyone to knock down the whole business of the popular video sharing website.

Kamil Hismatullin, a Russian security bod, found a simple logical vulnerability that allowed him to delete any video from YouTube in one shot.

While looking for Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) flaws in YouTube Creator Studio, Hismatullin came across a simple logical bug that could wipe out any video just by sending the ID of any video in a POST request along with any session token.

The bug was simple but critical as it could be exploited by an attacker to fool YouTube easily into deleting any video on its system.

"I've fought the urge to [delete] Bieber's channel," Hismatullin wrote in his blog post. "Luckily no Bieber videos were harmed."

Citing the consequences of the issue, Hismatullin said "this vulnerability could create utter havoc in a matter of minutes in [attackers'] hands who could extort people or [just] disrupt YouTube by deleting massive amounts of videos in a very short period of time."

The researcher reported the bug to Google, and the search engine giant fixed the issue within several hours. Hismatullin won a $5,000 cash reward from Google for finding and reporting the critical issue, plus an extra $1337 under the company's pre-emptive vulnerability payment scheme.

Over a month ago, a similar bug was reported in Facebook's own systems that could have been exploited by attackers to delete any photo from anyone's Facebook account. The social networking giant fixed the relatively simple issue.

Yahoo! has offered $24,000 to a security researcher for finding out and reporting three critical security vulnerabilities in its products including Yahoo! Stores and Yahoo!-hosted websites.

While testing the company's applications, Mark Litchfield, a bug bounty hunter who often works with different companies, discovered three critical vulnerabilities in Yahoo!'s products. All three vulnerabilities have now been fixed by Yahoo!.

THREE CRITICAL SECURITY VULNERABILITIES

The first and most critical vulnerability gives hackers full administrator access to Yahoo!'s e-commerce platform, Yahoo! Small Business, a portal that allows small business owners to create their own web stores through Yahoo! and sell merchandise.

According to the researcher, the flaw in the service allowed him to fully administer any Yahoo store and thereby gain access to customers' personally identifiable information, including names, email addresses and telephone numbers.

BUG ALLOWS FREE SHOPPING

Besides allowing hackers full admin access to the web stores, the vulnerability could also let an attacker rig a user-run eCommerce web store to shop for free, or at a huge discount, Litchfield claimed.

"We could also shop for free by either changing the prices, or creating our own discount code," Litchfield said in an email describing the attack. "Also, we could place an order, then once received, go and refund our money."

A separate but related vulnerability in Yahoo! Stores, the second flaw discovered by Litchfield, allows an unauthorized user to edit Yahoo-hosted stores through the app, thereby giving hackers a means to hijack an online store.

Last but not the least, Litchfield discovered a critical vulnerability in Yahoo’s Small Business portal that allows hackers to seize administrative access to Yahoo!-hosted websites and gain full, unauthorized access to them.

The Internet giant patched all three bugs two weeks ago, after Litchfield publicly released details and proof-of-concept exploits on Bug Bounty HQ, a community website for bug bounty hunters that Litchfield established last month so that fellow hunters could share their findings.

'ON-DEMAND PASSWORDS'

At a recent SXSW session, Yahoo! launched 'on-demand passwords,' which it says will eliminate the need for you to ever remember your email password. Whenever you need to sign in, the company sends you an OTP (one-time password) via SMS to your mobile phone.

It is a sort of two-factor authentication without the first factor, since the user no longer has to enter a log-in password at all. To opt in to the feature, follow these simple steps:

Sign in to your Yahoo email account.

Click on your name at the top right corner to access your account information page.

Choose Security in the sidebar.

Click on the slider for on-demand passwords, in order to opt-in.

Enter your phone number and Yahoo will send you a verification code.

Enter the code.

From now on, whenever you sign in to your email account, Yahoo! will send a password to your phone via SMS at the moment you need it.

In addition, the end-to-end email encryption that Yahoo! promised will be available by the end of this year. The company gave its first demonstration of the locked-down messaging system at the SXSW session, and it is also releasing early source code for security researchers to analyze.

A serious vulnerability in Facebook has recently been reported that could allow anyone to delete your entire Facebook photo album without any authentication.

Security Researcher Laxman Muthiyah told The Hacker News that the vulnerability actually resides in Facebook Graph API mechanism, which allows "a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted."

DELETING FACEBOOK PHOTO ALBUMS

According to Facebook's developer documentation, it is not possible to delete albums using the Graph API, but the Indian security researcher found a way to delete not just his own but also other users' Facebook photo albums within a few seconds.

"I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it? Yeah and also it uses the same Graph API," he said.

In general, the Facebook Graph API requires an access token to read or write users' data, and that token gives an app only limited access. However, Laxman discovered that his own access token, generated for the mobile version of Facebook, could be exploited to remove photo albums posted by any Facebook user.

To delete a photo album from a victim's Facebook account, the attacker only needs to send an HTTP Graph API request containing the victim's photo album ID together with the attacker's own access token, generated for the 'Facebook for Android' app.
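The root cause described above is an authorization gap: the API verified that the caller held a valid token but never checked that the token's owner actually owned the album being deleted. The following is an added example, not Facebook's code or the researcher's, that shows that gap in a toy Graph-style delete endpoint beside the object-level ownership check that closes it. All users, tokens, album IDs and scope names are constructed for the example.

```javascript
// Added example (not Facebook's code): a toy album-delete endpoint showing why an
// access token must be bound to the resource owner before a write is honoured.
// Every identifier below (users, tokens, albums, scope names) is constructed.

// Constructed access tokens: each records which user and app it was issued to.
const tokens = new Map([
  ['tok_alice_mobile', { userId: 'user_1001', app: 'mobile', scopes: ['user_photos'] }],
  ['tok_bob_web',      { userId: 'user_2002', app: 'web',    scopes: ['user_photos'] }],
]);

// Fresh in-memory album table for each scenario.
function makeAlbums() {
  return new Map([
    ['album_1', { ownerId: 'user_1001', title: 'Alice holiday' }],
    ['album_2', { ownerId: 'user_2002', title: 'Bob family' }],
  ]);
}

// Shared authentication step: is this a real token carrying the needed scope?
function authenticate(accessToken) {
  const session = tokens.get(accessToken);
  if (!session || !session.scopes.includes('user_photos')) return null;
  return session;
}

// Vulnerable handler: authenticates the caller but never authorises the caller
// against the album's owner, so any valid token can delete any album.
function deleteAlbumVulnerable(albums, req) {
  const session = authenticate(req.accessToken);
  if (!session) return { status: 401, error: 'invalid or insufficient token' };
  if (!albums.has(req.albumId)) return { status: 404, error: 'not found' };
  albums.delete(req.albumId);
  return { status: 200, success: true };
}

// Hardened handler: same authentication, plus an object-level ownership check.
function deleteAlbumHardened(albums, req) {
  const session = authenticate(req.accessToken);
  if (!session) return { status: 401, error: 'invalid or insufficient token' };
  const album = albums.get(req.albumId);
  // Same 404 for "missing" and "not yours", so the endpoint does not confirm
  // whether other users' album IDs exist.
  if (!album || album.ownerId !== session.userId) {
    return { status: 404, error: 'not found' };
  }
  albums.delete(req.albumId);
  return { status: 200, success: true };
}
```

The check belongs server-side at the moment of the write; that a client UI hides the delete option, or that the token was issued to a different app, is not a substitute for comparing the token's subject with the object's owner.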

A critical cross-site scripting (XSS) vulnerability in the Google Apps administrator console allowed cyber criminals to force Google Apps admins to execute just about any request on the https://admin.google.com/ domain.

The Google Apps admin console allows administrators to manage their organization's account. Administrators can use the console to add new users, configure permissions, manage security settings and enable Google services for their domain. The console is used by many businesses, especially those using Gmail as the e-mail service for their domain.

The XSS flaw allowed attackers to force an admin to perform the following actions:

Creating new users with "super admin" rights

Disabling two-factor authentication (2FA) and other security measures on existing accounts or across multiple domains

Modifying domain settings so that all incoming e-mails are redirected to addresses controlled by the attacker

Hijacking an account/email by resetting the password, disabling 2FA, and temporarily removing login challenges for 10 minutes

This new zero-day vulnerability was discovered and privately reported by application security engineer Brett Buerhaus to Google on September 1 and the company fixed the flaw within 17 days. In exchange for the report, Google paid the researcher $5,000 as a reward under its bug bounty program.

According to the researcher, when users access a service that hasn’t been configured for their domain, they are presented with a "ServiceNotAllowed" page. This page allows users to switch between accounts in order to log in to the service.

However, when one of the accounts was selected, a piece of JavaScript code was executed in an attempt to redirect the user’s Web browser. JavaScript code could be supplied by the user in the "continue" request parameter of the URL, which allowed XSS attacks.

"The continue request parameter is fairly common request variable in the Google login flow," Buerhaus explained in a blog post published on Wednesday. "This is the only page that I could find that did not validate the URL passed into it. This allowed you to craft Cross-Site Scripting attacks by using "javascript:" as part of the URL and it would execute when the browser location is redirected."
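The weakness described above is a redirect parameter that was assigned to the browser location without first being validated, so a javascript: URL ran as script in the page's origin. As an added example (not Google's code), the function below shows the validation a defender would put in front of such a parameter: parse the value, accept only http(s) schemes, and pin the result to the application's own origin. The origin, parameter name and fallback path are constructed assumptions.

```javascript
// Added example (not Google's code): validating a "continue"-style redirect parameter
// before it is used as a navigation target. Constructed values: the allowed origin,
// the parameter name, and the fallback path.

const ALLOWED_ORIGIN = 'https://admin.example.test';   // constructed: the app's own origin

// Returns a safe absolute URL to navigate to, or `fallback` when the value is unusable.
function safeContinueUrl(rawContinue, allowedOrigin = ALLOWED_ORIGIN, fallback = '/') {
  if (typeof rawContinue !== 'string' || rawContinue.length === 0) return fallback;

  let target;
  try {
    // Resolve relative to the allowed origin so "/path" is accepted, while a
    // protocol-relative "//other.host/" becomes an absolute URL whose origin we can check.
    // The URL parser also strips leading whitespace and lower-cases the scheme, so
    // " JaVaScRiPt:" variants end up with protocol "javascript:" and are rejected below.
    target = new URL(rawContinue, allowedOrigin);
  } catch (e) {
    return fallback;                       // unparseable input is never navigated to
  }

  // Only http(s) is a legitimate navigation target; this rejects javascript:, data:,
  // vbscript: and any other scheme the browser might execute or interpret.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return fallback;

  // Pin to the application's own origin; this also closes the open-redirect case
  // and refuses an http:// downgrade of the same host.
  if (target.origin !== allowedOrigin) return fallback;

  return target.href;
}

// Usage in a page (assumed call site): read the parameter, then navigate only to the
// validated result, never to the raw query-string value.
function continueFromQuery(queryString, paramName = 'continue') {
  const params = new URLSearchParams(queryString);
  return safeContinueUrl(params.get(paramName) || '');
}
```

If the login flow legitimately needs to send users to several hosts, replace the single-origin comparison with an explicit allow-list of origins; matching on a string prefix of the host is not sufficient, as the test below for a look-alike domain shows.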

Patching the vulnerability 17 days after it was reported shows the search giant's commitment to securing its software and its users.

By contrast, Microsoft recently saw three serious zero-day vulnerabilities in its Windows 7 and 8.1 operating systems disclosed one after another by Google's Project Zero team, after failing to fix the flaws within the three-month period the team gave the company.

A number of large technology companies already run bug bounty programs that reward researchers and security enthusiasts who contribute to the security of the Internet by finding holes in software or web platforms, and the social networking giant Facebook is the latest to do so.

Facebook and Usenix have together implemented the Internet Defense Prize — an award recognizing superior quality research that combines a working prototype with great contributions to securing the Internet, Facebook announced Thursday at the annual USENIX Security Symposium in San Diego.

Also, Facebook announced the first award under its Internet Defense Prize, and crowned a pair of German researchers for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications” — a seemingly viable approach to detecting vulnerabilities in web applications.

The duo used a static approach to detect "second-order vulnerabilities" in web applications: flaws in which a malicious payload is first stored on the web server and only causes harm later, when it is read back and used. Second-order vulnerabilities involve uploading a malicious script or payload to the targeted web server, which an attacker can then exploit remotely.

"For example, XSS attacks that target the application's users are worse if the payload is stored in a shared resource and distributed to all users," the paper explained.

Second-order vulnerabilities are very difficult to detect when analyzing source code statically, but "by analysing reads and writes to memory locations of the web server, we are able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data," said the researchers, who revealed 159 second-order vulnerabilities in six popular web applications, including several critical zero-day holes.
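The quotation above describes the two halves of a second-order vulnerability: an input point that writes attacker-controlled data into a persistent store, and an output point that later reads it back and uses it unsafely. The following added example (not from the Dahse and Holz paper) shows that pattern in miniature with an in-memory array standing in for a database table: the write looks harmless on its own, the unsafe read is what makes it a stored XSS, and the fix is escaping at the output point. The comment store, author and text values are constructed.

```javascript
// Added example (not from the paper): a second-order (stored) XSS in miniature.
// `db` stands in for a database table; the input point and output point are
// separate functions, which is exactly why a per-function review misses the flaw.

const db = [];                                     // constructed "persistent store"

function resetStore() { db.length = 0; }

// Input point: at write time nothing is rendered, so nothing looks wrong here.
function saveComment(author, text) {
  db.push({ author, text });
}

// Minimal HTML-text escaping for the element-content and attribute-value contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Output point, vulnerable: data is trusted because it "came from the database" and is
// concatenated straight into markup, so stored payloads run in every reader's browser.
function renderCommentsVulnerable() {
  return db.map(c => `<li><b>${c.author}</b>: ${c.text}</li>`).join('');
}

// Output point, hardened: every value is escaped at the sink regardless of where it was
// stored. The store cannot know the output context, so the fix belongs at the read.
function renderCommentsHardened() {
  return db.map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`).join('');
}
```

The analysis the researchers describe connects `saveComment` (the write) to `renderCommentsVulnerable` (the read) through the `db` location; an analyser that tracks only the request-to-response flow within a single handler never sees that path.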

The researchers, Johannes Dahse and Thorsten Holz of Ruhr University in Bochum, Germany, received $50,000 in prize money from an award committee made up of Facebook and USENIX representatives. The committee saw a "clear path" for using the money to turn the research into technology that could be deployed in the real world.

The Internet Defense Prize is an ongoing program and the committee is soliciting new entries for a future prize, according to John “Four” Flynn, a security engineering manager at Facebook who served on the Award Committee for the Internet Defense Prize.

"We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people," Flynn wrote in a blog post. "Our answer is the Internet Defense Prize, an award to recognize superior quality research that combines a working prototype with significant contributions to the security of the internet — particularly in the areas of protection and defense."

The committee is inviting researchers and security enthusiasts to submit their work to Facebook for consideration to be a future recipient of the Internet Defense Prize, and said that the award amount may increase depending on the strength of the submission, or it may hold onto the funds if no project meets the bar.

Last November, Facebook also helped create the Internet Bug Bounty, a program similar to the Internet Defense Prize that rewards researchers for finding large-scale Internet vulnerabilities in open source software projects. The Internet Bug Bounty is hosted by HackerOne and also involves other large companies such as Microsoft and Google.

Another privacy issue has been discovered in Google Drive that could have exposed sensitive personal information stored on the cloud service to unauthorized parties.

Google has now patched the flaw, but its discovery shows how cloud data shared via a link can be reached by "anyone who has the link" without any further authentication.

HOW THE SECURITY FLAW WORKS

The security hole affected files on the cloud file sharing service that contained a clickable URL.

When someone opens such a file and clicks an embedded hyperlink, they are sent to the third party's website.

Once that request arrives, the operator of the third-party site, an unauthorized party, could potentially reach your sensitive information by following the link back to the original document that contained the URL.

GOOGLE EXPLANATION

Google explained the actual nature of the security flaw in a blog post published last week. The company said that the flaw only affected a "small subset of file types" in Google Drive.

The security issue is relevant only if all four of these conditions apply:

The file was uploaded to Google Drive

The file was not converted to Docs, Sheets, or Slides (i.e., remained in its original format such as .pdf, .docx, etc.)

The owner changed sharing settings so that the document was available to “anyone with the link”

The file contained hyperlinks to third-party HTTPS websites in its content

If all the above mentioned conditions applied, a user who clicked on the embedded hyperlink could have inadvertently sent header information to the administrator of the third-party websites, allowing him or her to potentially see the URL of the original document that linked to his or her site.

Google assured users that newly shared documents with hyperlinks to third-party HTTPS websites will no longer inadvertently relay the original document's URL.
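The "header information" in the conditions above is the browser's Referer header, which by default carries the full URL of the page a link was clicked on, and the fourth condition says HTTPS because browsers withhold the Referer when an HTTPS page links to a plain http:// site. The following added example (not Google's code) models what the Referer contains under each standard Referrer-Policy value, so a reader can see exactly when a document URL that doubles as the access credential leaks to the linked site. The document and third-party URLs are constructed.

```javascript
// Added example (not Google's code): a model of the Referer header under each
// Referrer-Policy value, following the rules of the W3C Referrer Policy spec.
// URLs below are constructed; the "secret" path segment stands for a share link whose
// URL is itself the credential ("anyone with the link").

// Browsers never send the fragment or userinfo part of a URL in Referer.
function stripForReferrer(url) {
  const copy = new URL(url.href);
  copy.hash = '';
  copy.username = '';
  copy.password = '';
  return copy.href;
}

// Returns the Referer value sent when navigating from sourceUrl to targetUrl, or null
// when no Referer is sent. The default matches what browsers used at the time of the
// article (no-referrer-when-downgrade).
function refererHeader(sourceUrl, targetUrl, policy = 'no-referrer-when-downgrade') {
  const src = new URL(sourceUrl);
  const dst = new URL(targetUrl);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol === 'http:';
  const full = stripForReferrer(src);
  const originOnly = src.origin + '/';

  switch (policy) {
    case 'no-referrer':                    return null;
    case 'unsafe-url':                     return full;
    case 'origin':                         return originOnly;
    case 'same-origin':                    return sameOrigin ? full : null;
    case 'strict-origin':                  return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':       return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade':
    default:
      return downgrade ? null : full;
  }
}

// True when the full document URL (the share credential) reaches the linked site.
function leaksDocumentUrl(documentUrl, linkUrl, policy) {
  const sent = refererHeader(documentUrl, linkUrl, policy);
  return sent !== null && sent === stripForReferrer(new URL(documentUrl));
}
```

For a site that hosts documents behind share links, the defensive settings are the ones that never emit the path: a `Referrer-Policy: no-referrer` (or `strict-origin-when-cross-origin`) response header, or routing outbound links through an interstitial page whose URL carries nothing sensitive. Note that modern browsers have since changed their default from no-referrer-when-downgrade to strict-origin-when-cross-origin, which sends only the origin to third-party sites; the model above lets you check either behaviour.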

HOW TO PROTECT YOURSELF

If you have previously shared documents that match the four criteria above, Google says you can generate a new, safe sharing link by following three simple steps:

Create a copy of the document, via File > "Make a copy..."

Share the copy of the document with particular people or via a new shareable link, via the "Share" button

Delete the original document

The security flaw is similar to the Dropbox hyperlink disclosure vulnerability discovered earlier this year by Intralinks. That vulnerability led to the exposure of personal documents stored in Dropbox, including tax returns, bank records, mortgage applications, blueprints and business plans, all material you would not want to disclose.